Server Ubuntu 18.04

Check Ubuntu version:

$ lsb_release -a
LSB Version:    core-9.20170808ubuntu1-noarch:security-9.20170808ubuntu1-noarch
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic

If you get the message "No LSB modules are available", do:

$ sudo apt install lsb-core

The goal is to set up an Ubuntu home server with Dynamic DNS access.

The current Ubuntu version is 18.04 LTS (April 2018, Long Term Support, updates for Desktop 3 years, security updates for 5 years).

The mass storage is a 120 GB SSD.

Services: Wiki, Proxy for a webcam computer, volkszaehler, fail2ban, webDAV, calDAV, cardDAV (nextcloud).

In the following, the installation of most of the special software is described.

Power Supply: 230 VAC, 8 W (dark display), with battery backup.

/!\ Before switching to the new server, all data should be copied from the old server, and all services tested for good functionality.

/!\ Future: Some time after Ubuntu 20.04 came out, a recommendation for an in-place upgrade from 18.04 to 20.04 was made. The benefit is that most services still work after the upgrade; just a few must be updated.

Upgrade Server 18.04 -> 20.04

/!\ To be done in the future.

On my home server the operating system is Linux/Ubuntu. Usually the LTS version (Long Term Support) is used for a server. The last version was Ubuntu 18.04 (April 2018). Now I did an upgrade to Ubuntu 20.04 LTS.

After the upgrade, all services are tested:

  1. Copy all pages from backup to the new server: /home/rudi/moin-1.9.9/wiki/data/pages/, see ServerUbuntu1604#Setup_moin_wiki, and do a cleancache.

  2. Check volkszaehler, see ServerUbuntu1604#Volkszaehler

  3. Check NextCloud, see ServerUbuntu1604#DAV_Server_Baikal

  4. Start database insertion of Heizung data, see ServerUbuntu1604#Volkszaehler

  5. Test all services

Ubuntu 18.04 USB-Stick

The download page for Ubuntu 18.04 LTS is here, the 64 bit version is the default.

The program (version 608) for writing the ISO image to a bootable USB stick, which is available for Linux, Mac OS X and Windows, can add a persistent area, but does not work under Mac OS X 10.11.5.

The following shows how to write the ISO image to a bootable USB stick under Mac OS X; this method does not give a persistent area.

# Job done under Mac OS X 10.13.6 High Sierra, Terminal

# change directory
$ cd Downloads

# convert ISO to IMG file
$ hdiutil convert -format UDRW -o ubuntu-18.04-desktop-amd64.img ubuntu-18.04-desktop-amd64.iso
Master Boot Record (MBR : 0) lesen …
Ubuntu 18.04 LTS i386            (Apple_ISO : 1) lesen …
 (Windows_NTFS_Hidden : 2) lesen …
Dauer:  7.592s
Geschwindigkeit: 90.5M Byte/s
Ersparnis: 0.0 %
created: /Users/rudi/Downloads/ubuntu-18.04-desktop-amd64.img.dmg

# rename
$ mv ubuntu-18.04-desktop-amd64.img.dmg ubuntu-18.04-desktop-amd64.img

# show disk names
$ diskutil list

# figure out disk name, Type: DOS_FAT_32
  -> /dev/disk4

# umount USB-Stick
$ diskutil umountDisk /dev/disk4
Unmount of all volumes on disk4 was successful

# copy Ubuntu ISO to USB-Stick
$ sudo dd if=ubuntu-18.04-desktop-amd64.img of=/dev/rdisk4 bs=1m
970+0 records in
970+0 records out
1017118720 bytes transferred in 208.745752 secs (4872524 bytes/sec)

That works, but it is better to have a persistent version, where you can add programs.

$ sudo add-apt-repository universe
$ sudo apt update
$ sudo apt install gddrescue
$ sudo ddrescue --help

More help for using ddrescue is here, in German.

Setup Ubuntu 18.04 Desktop

Provided hardware:

Software setup:

 * Select for the 1st Drive the USB stick

# edit /etc/default/grub, line 11
    #GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

$ sudo update-grub

Setup hostname and IP

In order to use SSL encryption it is important to use the right hostname. The TCP/IP number should also be the same as the one the old server had.

# file /etc/hostname

# file /etc/hosts       localhost.localdomain   localhost

# TCP/IP number:
# Setup in GUI network manager

Program Installation

A few programs should be installed:

Setup Vino (VNC server)

The VNC server (desktop sharing, in the German GUI "Freigabe der Arbeitsfläche") is protected with a password (o..).

In 18.04 there is a configuration feature (or bug), see Links. To fix it, run in the Terminal:

# check for flag
$ gsettings get org.gnome.Vino require-encryption
# set to false
$ gsettings set org.gnome.Vino require-encryption false
# enable Vino
$ gsettings set org.gnome.Vino enabled true
# Now you can use VNC

or in the GUI
# Start the Ubuntu Software-Center
# Enter Synaptic in the search field
# click on "Synaptic Package Manager" and "more info"
# click on "use this repository" universe

# That needs the repository "universe", which is not given in the USB-stick setup.
# /etc/apt/sources.list: deb trusty main restricted universe

$ sudo apt-get install dconf-tools
# start dconf-editor (System Tools)
# search for "require-encryption" and switch OFF the mark
# now the VNC connection should work.

GNOME flashback Metacity

It looks like Gnome-shell needs a lot of resources, and it is not needed on a server. The alternative to Gnome-shell is to fall back to Gnome classic:

$ sudo apt-get install gnome-session-flashback

# log out your user
# In the logon mask click on the Ubuntu symbol and select "GNOME Flashback (Metacity)"
# login again with your user

Copy Folder and Files

Copy files and folders:




$ sudo chown -R www-data:www-data /var/www/

$ cd /home/rudi

# for Web Cam motion detect pictures
$ mkdir ftp

# for AVT-NET-IO Flash-ROM update
$ mkdir tftpboot

Setup postfix (email)

The setup should be done as described in UbuntuRaid1#Setup_Postfix_Email_send .

If another package has installed MTA (Mail Transfer Agent) Exim it should be exchanged with postfix, see ServerUbuntu1404#Setup_exim4_.28email.29.

# Before installing, you maybe have to change permissions:
$ sudo chown root:rudi /etc/aliases
$ sudo chmod g+w /etc/aliases

$ sudo apt-get install postfix

Setup apache2 web server

The Apache2 server is already set up by the package NextCloud.

Apache2 needs some modification in the setup:

# enable modules
$ sudo a2enmod dav
$ sudo a2enmod headers
$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo a2enmod proxy_html
# copy "proxy_html.conf" from the old server
$ sudo a2enmod xml2enc

$ sudo a2enmod ssl

# Add to file /etc/apache2/sites-enabled/default-ssl.conf
# below "DocumentRoot /var/www"
                # for  only
                <Directory />
                    Options FollowSymLinks
                    AllowOverride None
                </Directory>

# 2014-10-15 Add security, edit file  mods-enabled/ssl.conf
  SSLProtocol all -> SSLProtocol all -SSLv2 -SSLv3
$ sudo service apache2 restart

# module wsgi for Python support
$ sudo apt-get install libapache2-mod-wsgi
$ sudo a2enmod wsgi

# Edit /etc/apache2/sites-enabled/000-default.conf
    DocumentRoot /var/www     # instead of /var/www/html

# Edit /etc/apache2/sites-enabled/default-ssl.conf
    DocumentRoot /var/www     # instead of /var/www/html

$ sudo service apache2 restart

# check for virtual hosts
$ sudo apache2ctl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server (/etc/apache2/conf-enabled/httpd.conf:5)
         port 80 namevhost (/etc/apache2/conf-enabled/httpd.conf:5)
         port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
PidFile: "/var/run/apache2/"
User: name="www-data" id=33
Group: name="www-data" id=33

# add user to group www-data (for tests)
$ sudo usermod -a -G www-data rudi
# user logout
# login again
$ groups
rudi adm cdrom sudo dip www-data plugdev lpadmin sambashare

# change from apache 2.2 to 2.4 for virtual hosts in:
#                    /etc/apache2/conf-enabled/httpd.conf   (for wiki, wiki9)
# Redirect permanent to https://
<VirtualHost *:80>
    # 2019-07-15 RR
    Redirect permanent /
#                    /etc/apache2/mods-available/proxy.conf (for wiki1 = Heizung)
    Order deny,allow
    Allow from all
    Require all granted

$ sudo service apache2 restart

After copying the moin-1.9.9 installation from the old server do a cleancache, see ServerUbuntu1604#Setup_moin_wiki

Proxy for wiki1 web

To proxy another Web-Server (Heizung) through the main Web-Server you need a few apache2 modules:

$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo a2enmod proxy_html

# Then you have to setup:
# If "proxy_html.conf" is missing, then the "logo" of wiki1 is missing.

$ sudo service apache2 restart

In order to connect via network to the Ubuntu server, the following connections can be set up in Finder:

# Network connection with SMB, with R/W, with the share option in Linux

# Network connection with VNC Virtual Network Computing, Remote Desktop

# WebDAV, Web-based Distributed Authoring and Versioning

# Network connection with AFP Apple File Protocol, with R/W
# CAUTION: This will generate a lot of hidden (.) files.

For webDAV setup please see at AndroidNotes#Setup_webDAV_Storage.

Setup moin wiki

Because the moin installation (wiki9, wiki) is in the /home folder it can be copied from old server to new server. Just the permissions have to be adjusted.

# wiki9
# adjust permissions
$ sudo chown -R www-data:www-data moin-1.9.9
# allow group write
$ cd moin-1.9.9
$ sudo chmod -R ug+rwx wiki

# After each copying of the pages, clean the cache!
# the utility "" needs the user and group "execution" bit.
$ cd moin-1.9.9
$ ./ maint cleancache

The backup of the wiki pages is described in MoinBackup.

Setup SSH

In order to work, the files /etc/hostname and /etc/hosts have to be set up properly, see ServerUbuntu1204#Setup_hostname_and_IP.

/!\ If you change the server, even with the same host name and IP address, the SSH host key changes, so you have to renew all connections. To remove a no longer valid IP number from the file known_hosts (parameter -R), you can use this command:

$ sudo ssh-keygen -f "/root/.ssh/known_hosts" -R

For Mac OS X the file /Users/rudi/.ssh/known_hosts has to be changed. The line with the target IP address must be deleted. At the next connection attempt you are asked whether the new host is trustworthy. Answer with yes and the connection is stored again in the known_hosts file.

Data backup with Back in Time

I do not like the Ubuntu standard program deja dup (GUI for duplicity), because it uses a proprietary archive format.

Because I had good experience with the Mac OS X program Time Machine, I looked for something similar, and found Back In Time (based on rsync). There I could save the folders

every day to the SD-card (or harddisk). The version 1.2.0 is the current version.

I use a 32 GB SD-card class 10, for the preparation see DockStarBackup#Backup_Media.

After the first full backup (snapshot), the following backups save only new and changed files; where the data did not change, only hard links are set in order to save space.

If the free space left on the backup media is less than 1 GB (parameter) old snapshots can be smart removed (Settings/Auto-remove):

Copy the Installation to another media

In order to make a bootable backup, or copy the (bootable) installation to another media, the following procedure proved to be working:

# Boot with an Ubuntu 18.04 live media, USB-stick with persistent area (/dev/sdc1).
# USB-stick is prepared with program unetbootin (Linux, Mac OS, Windows, see link)
# disk /dev/sdb1 is a SD-card for Back in Time

# Install program synaptic, in order to get the "universe" repository.
# Install the program ddrescue.
$ sudo apt-get install gddrescue

# Backup the 16 GB SSD of the source system to an USB harddisk
# Source media is an internal SSD on /dev/sda1 (file system ext4)
# Target media is an USB harddisk on /dev/sdd1 (file system ext4)
$ sudo ddrescue -f /dev/sda1 /dev/sdd1 ddrescue_sdd1.log

# Copy to the Target system -------------
# Source media is an USB harddisk on /dev/sdd1 (file system ext4)
# Target media is an internal SSD on /dev/sda1 (file system ext4)
# The target media should have a partition size with similar size of the source partition.
# Partition resize is made with program Gparted.
# Example (ddrescue shows the progress and data rate):
$ sudo ddrescue -f /dev/sdd1 /dev/sda1 ddrescue_sda1.log
# ddrescue will report at the end of copying an error of partition size mismatch.

# Install the Grub boot loader:
$ sudo mount /dev/sda1 /mnt
$ sudo grub-install --root-directory=/mnt /dev/sda

# Fix partition size mismatch
$ sudo resize2fs /dev/sda1

# Check target media file system, must be OK to proceed
$ sudo umount /mnt
$ sudo fsck.ext4 /dev/sda1

# Shut down (remove all other media) and reboot with /dev/sda
$ sudo reboot
# If there is a boot message about missing mass storage, say "skip".
# The system will repair /etc/fstab

The last action is to adjust /etc/fstab, if needed:

# Find UUID's of the drives
$ sudo blkid
/dev/sda1: UUID="89cb8d0c-200e-4022-8746-18603304d2c8" TYPE="ext4" 
/dev/sda2: UUID="fd0b068b-ca58-4bef-8772-468f6c21c441" TYPE="swap"  
/dev/sdb1: LABEL="SAVE" UUID="5924b296-d3eb-4323-bec6-da750b2642e8" TYPE="ext4"

# change /etc/fstab, if not already done
# <file system>                 <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
# / was on /dev/sda1 during installation
UUID=89cb8d0c-200e-4022-8746-18603304d2c8 /      ext4    errors=remount-ro 0       1
# swap was on /dev/sda2 during installation
UUID=fd0b068b-ca58-4bef-8772-468f6c21c441 none   swap    sw              0       0

Setup netatalk

Apple afp network protocol, if needed. It needs two changes:

# file /etc/netatalk/AppleVolumes.default
# change "Home Directory" to "home_dir72", the blank char. gives a problem
# and for computer to computer copying it needs an address (72).

# file /etc/netatalk/afpd.conf
# append last line
--tcp -noddp -uamlist, -nosavepassword -setuplog "default log_info /var/log/afpd.log" -mimicmodel RackMac

$ sudo /etc/init.d/netatalk restart
$ sudo service netatalk restart

But practice shows that Mac OS X will place a lot of invisible files (e.g. .DS_store) in all folders. So, it is better to use the smb protocol (smb://IP-address).

Share for wiki synch

In order to sync the wiki data to a backup server (Mac OS X), you need a share of the home/rudi/ folder.

# First install:
$ sudo apt-get install libpam-smbpass # 2019-04-19 no longer available

# in Nautilus file browser enable share with name: rudi-74
#   enable write access
# to activate it, do: logout -> login 

FTP Server

For the web cam D-Link DCS932L an FTP server is needed, to which the pictures are sent in case of a motion detection. FTP uses the IP ports 20 (data) and 21 (control). For security reasons those ports are not accessible from the internet; they are open only in the in-house network.

$ sudo apt-get install vsftpd

# setup the FTP data folder
$ cd /home/rudi
$ mkdir ftp

# edit /etc/vsftpd.conf  (with sudo)

# make the ftp folder the default folder.

# allow to write to the ftp folder (remove comment).

# apply the changes
$ sudo service vsftpd restart

Use of iptables

In order to reject IP numbers which cause errors in log files, you can use iptables.

Use package fail2ban to find the bad IP addresses, see next chapter.

# install iptables
$ sudo apt install iptables-persistent netfilter-persistent

# check the modules
$ lsmod | grep tab
ip6table_filter        16384  0
ip6_tables             32768  1 ip6table_filter
iptable_filter         16384  1
ip_tables              32768  1 iptable_filter
x_tables               40960  6 ip6table_filter,iptable_filter,xt_multiport,ip6_tables,ipt_REJECT,ip_tables

# Syntax to block an IP address under Linux, e.g.
$ sudo iptables -A INPUT -j DROP -s 

# How Do I Unblock An IP Address? e.g.:
$ sudo iptables -D INPUT -j DROP -s

# How Do I View Blocked IP Address (-n numeric only, no Host DNS) *****
$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 5374 packets, 2713K bytes)
 pkts bytes target     prot opt in     out     source         destination         
  425 39867 f2b-apache-newaccount  tcp  -- * *   multiport dports 80,443
 1445  104K f2b-sshd   tcp  --  *      *   multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source         destination         

Chain OUTPUT (policy ACCEPT 2596 packets, 545K bytes)
 pkts bytes target     prot opt in     out     source         destination         

Chain f2b-apache-newaccount (1 references)
 pkts bytes target     prot opt in     out     source         destination         
  425 39867 RETURN     all  --  *      *           

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source         destination         
 1445  104K RETURN     all  --  *      * 

# How Do I Search For Blocked IP Address?
$ sudo iptables -L INPUT -v -n | grep

# find IP numbers of "AttributeError"
$ cat /var/log/apache2/error.log | grep AttributeError | cut -d ' ' -f 10 | sort

If you want to see more of what iptables is doing, see here.

A reverse DNS lookup seldom works on those IP addresses.

If you want to know from which location the IP address comes, you can use a Location Finder, e.g.:

France   OVH SAS
USA      Nobis Technology Group LLC
China    ChinaNet Shanxi (SN), CHINANET-BACKBONE
USA      Washington,
Romania  Bihor, SC Netsilvania Network SRL, Parfumuri SRL

Setup of fail2ban

Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs etc. and uses iptables profiles to block brute-force attempts.

For the moin wiki I have added a new filter apache-newaccount.conf in order to ban computers which try to open a new account, which is blocked anyway but costs resources.

For more detailed information, please see the links, and DockStarDebian#Use_of_fail2ban.

To install fail2ban, type the following in the terminal:

$ sudo apt-get install fail2ban 

This will install:
fail2ban (Server + Client)
python-pyinotify all 0.9.4-1build1 [24,5 kB]
whois i386 5.1.1 [29,5 kB]

$ fail2ban-server -V
Fail2Ban v0.10.2

To configure fail2ban, make a local copy (jail.local) of the jail.conf file in /etc/fail2ban and edit it:

$ cd /etc/fail2ban
$ sudo touch jail.local 

# Edit jail.local with nano:
# ignoreip: /24 meant mask -> allow last segment 
ignoreip =

# ACTIONS, global, especially for SSH, please see at the Links
banaction = iptables-allports
# if multiport is used, the attacker can try also on other ports

maxretry = 2

#enabled = false
enabled = true

#enabled = false
enabled = true

#enabled = false
enabled = true

#enabled = false
enabled = true

#enabled = false
enabled = true

#enabled = false
enabled = true

#enabled  = false
enabled = true

# In order to get the new parameters activated do:
$ sudo service fail2ban restart

Check for an installed iptables package:

$ which iptables

or more verbose:

$ apt-cache policy iptables
  Installiert: 1.4.12-1ubuntu4
  Kandidat:    1.4.12-1ubuntu4
 *** 1.4.12-1ubuntu4 0
        500 precise/main i386 Packages
        100 /var/lib/dpkg/status

To test fail2ban, look at iptable rules:

# Start fail2ban
$ sudo /etc/init.d/fail2ban restart

# Test if service is running:
$ /etc/init.d/fail2ban status                                      
Status of authentication failure monitor: fail2ban is running

# use option -n, otherwise host name lookup takes a long time
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-apache-newaccount  tcp  --      multiport dports 80,443
f2b-sshd   tcp  --        multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-apache-newaccount (1 references)
target     prot opt source               destination         
RETURN     all  --             

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  

# check for the regexpr in the filter, example
$ fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf

In order to log how many IPs are banned every day, a cron job was set up:

$ cat Install/fail2ban/
# file:
# log daily the number of banned IP's
# sudo crontab -e
#   PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#   # fail2ban ban number logging per day
#   0 1 * * * /home/rudi/Install/fail2ban/
# 2017-07-17 RudolfReuter

day=$(date +%Y-%m-%d)
# wc -l counts every line of the listing, chain headers and RETURN rules included
ips=$(iptables -L -n | wc -l)
#echo $day "Number of banned IPs " $ips
echo $day "Number of banned IPs " $ips >>/home/rudi/Install/fail2ban/IPs_banned.log

# to see what is going on                        *****
$ tail /home/rudi/Install/fail2ban/IPs_banned.log
2018-12-17 Number of banned IPs  80
2018-12-18 Number of banned IPs  85
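
The cron job above logs the line count of `iptables -L -n`, which also contains chain headers, blank lines and RETURN rules. As an added example (not the author's script), the following counts the actual ban rows per fail2ban chain; the listing is constructed from the one shown on this page with three ban rows added, and it assumes bans appear as REJECT or DROP rows in `f2b-*` chains.

```python
import re

# Constructed `iptables -L -n` listing: the two f2b chains shown on this page,
# with three ban rows added (documentation addresses, not real hosts).
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-apache-newaccount  tcp  --  0.0.0.0/0    0.0.0.0/0    multiport dports 80,443
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-apache-newaccount (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.8          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.9         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
BAN_TARGETS = ("REJECT", "DROP")


def bans_per_chain(listing):
    """Map each f2b-* chain to the source addresses it currently blocks."""
    bans, chain = {}, None
    for line in listing.splitlines():
        header = CHAIN_RE.match(line)
        if header:
            # Only chains created by fail2ban are of interest.
            chain = header.group(1) if header.group(1).startswith("f2b-") else None
            if chain:
                bans[chain] = []
            continue
        fields = line.split()
        # Columns with -n: target, prot, opt, source, destination, ...
        if chain and len(fields) >= 4 and fields[0] in BAN_TARGETS:
            bans[chain].append(fields[3])
    return bans


def total_banned(listing):
    """Number of banned addresses over all fail2ban chains."""
    return sum(len(ips) for ips in bans_per_chain(listing).values())


def line_count(listing):
    """The value the cron job logs: `iptables -L -n | wc -l`."""
    return len(listing.splitlines())


if __name__ == "__main__":
    for chain, ips in bans_per_chain(LISTING).items():
        print(chain, len(ips), ips)
    print("banned:", total_banned(LISTING), "lines:", line_count(LISTING))
```

With two jails and no bans at all, the listing on this page is already 18 lines long, so the logged number is the ban count plus a fixed offset that grows with every enabled jail.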

In order to show the status of all fail2ban jails at once the following script is needed:

# Create a shell file and add the following up to # EOF
$ cd /home/rudi/Install/fail2ban
$ nano

#!/bin/bash
JAILS=`fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'`
for JAIL in $JAILS; do
  fail2ban-client status $JAIL
done
# EOF

# make the file executable
$ chmod ug+x

# Test the script
$ cd /home/rudi/Install/fail2ban
$ sudo ./ 
Status for the jail: apache-newaccount
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/apache2/access.log
`- Actions
   |- Currently banned: 20
   |- Total banned:     20
   `- Banned IP list:
Status for the jail: apache-noscript
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/apache2/error.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:

# As you can see, my moinmoin wiki is heavily attacked.
# The command "newaccount" is allowed only for the administrator.

moinmoin newaccount

Blocking IP numbers which try to set up a new account in the moin wiki. I had about 5100 attacks within 6 days. It is not easy to figure out the failregex setup. You have to look up the already provided setups and the log entry line you want to filter.

# Edit a new file in /etc/fail2ban/filter.d/ with nano

$ sudo touch filter.d/apache-newaccount.conf
$ sudo nano filter.d/apache-newaccount.conf
# Fail2Ban configuration file
# Author: RudolfReuter
# $Revision$

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
failregex = ^<HOST> .*action=newaccount

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =
#----- EOF -----

# Add to the file "jail.local" in /etc/fail2ban

[apache-newaccount]
enabled = true
port     = http,https
filter   = apache-newaccount
logpath  = /var/log/apache*/access.log
maxretry = 2
#----- EOF -----

# reload fail2ban config file
$ sudo /etc/init.d/fail2ban reload

# check for running
$ sudo /etc/init.d/fail2ban status
 * Status of authentication failure monitor   
 *  fail2ban is running

# check the number of attacks in the apache2 log  *****
$ cat /var/log/apache2/access.log | grep newaccount | wc -l


In case someone tries to access Nextcloud who is not allowed, this IP number should be blocked:

# Create the Nextcloud-filter:
$ sudo nano /etc/fail2ban/filter.d/nextcloud.conf
# Paste the following lines, this will cover GUI Failed login and WebDAV:
[Definition]
failregex=^{.*Login failed: .* \(Remote IP: <HOST>\).*}$
ignoreregex =

# Create a new jail, and add to the list
$ sudo nano /etc/fail2ban/jail.local
# Paste the following rows:
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
# Number of retries before a ban
maxretry = 2
#Log path, on Ubuntu usually following
logpath = /var/www/nextcloud/data/nextcloud.log

# Re-start the fail2ban-service:
$ sudo service fail2ban restart

# Test the regular expression
$ fail2ban-regex /var/www/nextcloud/data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf --print-all-matched
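
The two failregex lines above (moin newaccount and Nextcloud) can be exercised offline before a jail is enabled. This is an added example, not part of the original page or of fail2ban: it applies each regex to the whole line using the `<HOST>` expansion quoted in the filter comment, ignores findtime, and runs on constructed log lines; `NEWACCOUNT_STRICT` and both Nextcloud message shapes are assumptions.

```python
import re

# <HOST> expansion as quoted in the comment of the filter file on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex values copied from the two filters on this page.
NEWACCOUNT = r"^<HOST> .*action=newaccount"
NEXTCLOUD = r"^{.*Login failed: .* \(Remote IP: <HOST>\).*}$"

# Stricter variant (assumption, not from the page): the action must be part of
# the quoted request line, so a Referer or User-Agent field cannot trigger it.
NEWACCOUNT_STRICT = (
    r'^<HOST> \S+ \S+ \[[^\]]*\] "[A-Z]+ [^" ]*[?&]action=newaccount\b'
)

# Constructed access.log lines (documentation addresses, hypothetical paths).
ACCESS_LOG = [
    # Two real attempts to open the newaccount form.
    '203.0.113.7 - - [17/Dec/2018:01:02:03 +0100] "GET /FrontPage?action=newaccount'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Dec/2018:01:02:09 +0100] "POST /FrontPage?action=newaccount'
    ' HTTP/1.1" 200 5301 "-" "Mozilla/5.0"',
    # Ordinary page views whose Referer happens to contain the action string.
    '198.51.100.9 - - [17/Dec/2018:01:03:00 +0100] "GET /FrontPage HTTP/1.1" 200 9000'
    ' "https://wiki.example/FrontPage?action=newaccount" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Dec/2018:01:03:01 +0100] "GET /logo.png HTTP/1.1" 200 700'
    ' "https://wiki.example/FrontPage?action=newaccount" "Mozilla/5.0"',
    # Unrelated request.
    '192.0.2.10 - - [17/Dec/2018:01:04:00 +0100] "GET /HelpContents HTTP/1.1" 200 4000'
    ' "-" "Mozilla/5.0"',
]

# Constructed nextcloud.log lines in two message shapes (IP unquoted / quoted).
# Which shape a given Nextcloud version writes has to be checked in the real log.
NEXTCLOUD_LOG = [
    '{"reqId":"a1","level":2,"time":"2019-07-16T10:00:00+00:00","remoteAddr":'
    '"203.0.113.7","app":"core","message":"Login failed: admin (Remote IP: 203.0.113.7)"}',
    '{"reqId":"a2","level":2,"time":"2019-07-16T10:00:05+00:00","remoteAddr":'
    '"203.0.113.7","app":"core","message":"Login failed: admin (Remote IP: 203.0.113.7)"}',
    '{"reqId":"b1","level":2,"time":"2019-07-16T10:01:00+00:00","remoteAddr":'
    '"198.51.100.9","app":"core","message":"Login failed: \'admin\' (Remote IP: \'198.51.100.9\')"}',
    '{"reqId":"b2","level":2,"time":"2019-07-16T10:01:05+00:00","remoteAddr":'
    '"198.51.100.9","app":"core","message":"Login failed: \'admin\' (Remote IP: \'198.51.100.9\')"}',
]


def failures(failregex, lines):
    """Count matching lines per host, as a stand-in for fail2ban's failure counter."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    counts = {}
    for line in lines:
        match = pattern.search(line)
        if match:
            host = match.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


def banned(failregex, lines, maxretry=2):
    """Hosts that reach maxretry (2 in both jails on this page)."""
    return sorted(h for h, n in failures(failregex, lines).items() if n >= maxretry)


if __name__ == "__main__":
    print("newaccount, page filter  :", banned(NEWACCOUNT, ACCESS_LOG))
    print("newaccount, strict filter:", banned(NEWACCOUNT_STRICT, ACCESS_LOG))
    print("nextcloud, page filter   :", failures(NEXTCLOUD, NEXTCLOUD_LOG))
```

On the server itself, `fail2ban-regex` against the real log, as shown above, remains the authoritative check; a filter that reports zero matches there never bans anything.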

Root Cron

There are 3 root cron jobs set up:

$ sudo crontab -l
# fail2ban ban number logging per day
0 1 * * * /home/rudi/Install/fail2ban/

#Back In Time system entry, this will be edited by the gui:
0 0 * * * /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 /usr/bin/backintime --backup-job >/dev/null 2>&1

# for heizung volkszaehler copy remote data to local
*/5 * * * * /root/ >/dev/null 2>&1


The Volkszaehler software was set up to visualize the temperatures of my heating system more flexibly.

The first step is to get the data from the Heizung Server via cron job:

$ sudo cat /root/
no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory
# File:
# 2014-02-14 RudolfReuter
# copy actual temperatures from Heizung to local folder
# remote: /var/volatile/www/heizdata.csv
# local: /var/volatile/www/heizdata.csv

sshpass -p 'oz***' scp -qp -o StrictHostKeyChecking=no  rudi@ /var/volatile/www/heizdata.csv

The second step is to insert the data into the database (mysql), every 5 minutes.
/!\ This should be done only when the server swap is finished.

# insert the transferred data into the database:
# create a link to vzclient
$ sudo ln -s /var/www/ /usr/local/bin/vzclient 

# setup cron job
$ crontab -e
# If you get a permission problem:
$ sudo chown rudi:crontab /var/spool/cron/crontabs/rudi

# append to the file

# copy heizung values to volkszaehler database, every 5 minutes
*/5 * * * * /home/rudi/Install/volkszaehler/ > /dev/null
< empty line >

/!\ If there is no longer a data transmission, check the ssh connection from rudiswiki14 to FADS90.

The second job is to visualize the water counter of the house, see Pollin_AVR_NET-IO and ProximitySwitchInductive. The AVR-NET-IO board directly writes into the mysql database via network and the volkszaehler middleware.

Before switching the server the database (mysql) on the new server must be updated:

# dump the database on the old computer
# Attention, a dump with phpmyadmin does NOT work.
$ sudo mysqldump -u root -p volkszaehler >vz_heizung3.sql
[sudo] password for rudi:
Enter password:

# restore the database on the new computer, the existing tables are dropped before restore.
$ sudo mysql -u root -p volkszaehler < vz_heizung3.sql
[sudo] password for rudi:
Enter password:


2019-07-16 Update to Nextcloud version 16.03 and Calendar version 1.7.

The reason for installing NextCloud was the Calendar and Contact synchronisation with iOS and MacOS.

Download the package from nextCloud.

Help for command line installation

Help for Maria DB - reset your root password


$ cd Download
$ unzip
$ sudo mkdir /var/www
$ sudo cp -R nextcloud /var/www/
$ sudo chown -R www-data:www-data /var/www/nextcloud

# add user to group www-data (for tests)
$ sudo usermod -a -G www-data rudi
# user logout
# login again
# check groups
$ groups
rudi adm cdrom sudo dip www-data plugdev lpadmin sambashare

# Prerequisites for manual installation 
$ sudo apt-get install apache2 mariadb-server libapache2-mod-php7.2
$ sudo apt-get install php7.2-gd php7.2-json php7.2-mysql php7.2-curl php7.2-mbstring
$ sudo apt-get install php7.2-intl php-imagick php7.2-xml php7.2-zip

$ sudo mkdir /var/www/nextcloud/data

# setup maria DB
$ sudo mysql -u root
MariaDB [(none)]> UPDATE mysql.user SET password = PASSWORD('<password>') WHERE user = 'root';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [(none)]> UPDATE mysql.user SET authentication_string = '' WHERE user = 'root';
MariaDB [(none)]> UPDATE mysql.user SET plugin = '' WHERE user = 'root';
MariaDB [(none)]> exit

$ sudo mysql_secure_installation  
    Enter current password for root
    Change the root password? n
    Remove anonymous users? n
    Disallow root login remotely? n
    Remove test database and access to it? n
    Reload privilege tables now? y
Thanks for using MariaDB

$ sudo mysql -u root -p
        create database nextcloud;
        create user nxtcloudadmin@localhost identified by '<password>';
        grant all privileges on nextcloud.* to nxtcloudadmin@localhost identified by '<password>';
        flush privileges;

$ sudo service mysql reload

# setup NextCloud
$ cd /var/www/nextcloud/
$ sudo -u www-data php occ  maintenance:install --database "mysql" --database-name "nextcloud"  --database-user "root" --database-pass "<password>" --admin-user "admin" --admin-pass "<password>"

Nextcloud was successfully installed

# setup NextCloud admin user
# In order to install apps, the user must belong to group admin
$ sudo -u www-data php occ user:add --display-name="rudi" --group="users" --group="db-admins" --group="admin" rudi
[sudo] Password for rudi:
Enter password:
Confirm password:
The user "rudi" was created successfully
Display name set to "rudi"
Create group "db-admins"
User "rudi" added to group "db-admins"
User "rudi" added to group "admin"

Next, take care of the web server configuration.

Test if the web server apache2 is running by entering in the URL line http://localhost. You should see the Apache2 Ubuntu Default Page.

# create the apache2 config file for NextCloud
$ sudo touch /etc/apache2/sites-available/nextcloud.conf

# Edit the config file
$ sudo nano /etc/apache2/sites-available/nextcloud.conf
Alias /nextcloud "/var/www/nextcloud/"

<Directory /var/www/nextcloud/>
  Options +FollowSymlinks
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /var/www/nextcloud
 SetEnv HTTP_HOME /var/www/nextcloud
</Directory>


# activate the NextCloud configuration
$ sudo a2ensite nextcloud.conf
$ sudo a2enmod rewrite
$ sudo a2enmod headers
$ sudo service apache2 restart

In order to install the NextCloud Apps Calendar and Contacts do:

# login with web browser to URL "localhost/nextcloud"
# A web mask appears and log in with user "rudi" and password.

# Install apps "calendar" and "contacts"
# click on the user icon on the upper right edge
# click on "+ Apps"
# click on App-Pakete->Groupware-Pakete
#     click on "Herunterladen und aktivieren" right of calendar and contacts
# The icons from apps calendar and contacts appear in the top bar.

CalDAV CardDAV backup

Especially the Calendar data are time sensitive, so a daily automatic backup is needed.

Fortunately BernieO provided an excellent bash script. This Bash script exports calendars and addressbooks from ownCloud/Nextcloud to .ics and .vcf files and saves them to a compressed file. Additional options are available. Setup:

# Download package to user folder:
$ git clone

# change path
$ cd calcardbackup

# change owner to NextCloud owner, take care about the . (dot)
$ sudo chown -R www-data:www-data .

# make a compressed backup with user "www-data" to folder ~/calcardbackup/backups
$ sudo -u www-data ~/calcardbackup/calcardbackup  "/var/www/nextcloud"

# add it to a daily CRON job
$ sudo nano /etc/crontab
# add to the end of the file:
# calcardbackup every day at 2 o'clock with user "www-data"
0 2 * * * www-data /home/<user>/calcardbackup/calcardbackup "/var/www/nextcloud" > /dev/null
<empty line>

# check in the log for a run of the script
$ grep www-data /var/log/syslog
Jul 17 02:00:01 rudiswiki74 CRON[2215]: (www-data) CMD (/home/rudi/calcardbackup/calcardbackup "/var/www/nextcloud" > /dev/null)

/!\ In case you want to start a CRON job with a different user, you need to set it up in the file /etc/crontab.

WebDAV Server

The webDAV service is realized with the apache2 server. For security reasons, it can only be accessed via SSL. The setup is done with:

# enable apache2 modules
$ sudo a2enmod dav
$ sudo a2enmod dav_fs

# edit file /etc/apache2/sites-enabled/default-ssl.conf
# insert in the VirtualHost area
        Alias /dav "/var/www/dav/"
        <Directory "/var/www/dav/">
            DAV on
            Options +Indexes
        </Directory>

$ sudo service apache2 reload

Access webDAV folder with web browser URL

Force disk check on boot

If you want to make a disk file system check at boot time you have to create an empty file in the root folder:

$ sudo touch /forcefsck


-- RudolfReuter 2019-04-03 17:50:56


ServerUbuntu1804 (last edited 2020-06-07 17:36:38 by RudolfReuter)